Issue Date: November 14, 2007
Audit Case Number: 2008-FO-0003

TO: John W. Cox, Chief Financial Officer, F

FROM: Robert A. McGriff, Director, Financial Audits Division, GAF

SUBJECT: Additional Details to Supplement Our Report on HUD’s Fiscal Years 2007 and 2006 Financial Statements

HIGHLIGHTS

What We Audited and Why

We are required to annually audit the consolidated financial statements of the U.S. Department of Housing and Urban Development (HUD) in accordance with the Chief Financial Officers Act of 1990, as amended. Our report on HUD’s fiscal years 2007 and 2006 financial statements is included in HUD’s Fiscal Year 2007 Performance and Accountability Report. This report supplements our report on the results of our audit of HUD’s principal financial statements for the fiscal years ending September 30, 2007, and September 30, 2006. Also provided are assessments of HUD’s internal controls and our findings with respect to HUD’s compliance with applicable laws and regulations, and provisions of contracts and grant agreements.¹

¹ Additional details relating to the Federal Housing Administration (FHA), a HUD component, are not included in this report but are included in the accounting firm of Urbach Kahn and Werlin LLP’s audit of FHA’s financial statements.
That report has been published in our report, Audit of Federal Housing Administration Financial Statements for Fiscal Years 2007 and 2006 (2008-FO-0002, dated November 08, 2007).

Additional details relating to the Government National Mortgage Association (Ginnie Mae), another HUD component, are not included in this report but are included in the accounting firm of Carmichael Brasher Tuvell and Company’s audit of Ginnie Mae’s financial statements. That report has been published in our report, Audit of Government National Mortgage Association Financial Statements for Fiscal Years 2007 and 2006 (2008-FO-0001, dated November 07, 2007).

What We Found

In our opinion, HUD’s fiscal years 2007 and 2006 financial statements were fairly presented. Our opinion on HUD’s fiscal years 2007 and 2006 financial statements is reported in HUD’s Fiscal Year 2007 Performance and Accountability Report.
The other auditors and our audit also disclosed:

•   Material weaknesses in internal controls related to the need to
    − Develop a risk assessment and systems development plan for FHA’s Home Equity Conversion Mortgage (HECM) systems and transactions; and
    − Enhance the HECM credit subsidy cash flow model.

•   Significant deficiencies in internal controls related to the need to
    − Comply with federal financial management systems requirements;
    − Continue improvements in the oversight and monitoring of subsidy calculations and intermediaries’ program performance;
    − Improve the budgeting and funds control process for Section 8 project-based contracts;
    − Improve the processes for reviewing obligation balances;
    − Further strengthen controls over HUD’s computing environment;
    − Improve personnel security practices for access to the Department’s critical financial systems;
    − Strengthen FHA system security controls; and
    − Improve Ginnie Mae’s programs compliance and controls regarding monitoring of issuers.

Our findings include the following instance of non-compliance with applicable laws, regulations, and provisions of contracts and grant agreements:

    HUD did not substantially comply with the Federal Financial Management Improvement Act regarding system requirements and applicable accounting standards.

The audit also identified $342.3 million in excess obligations recorded in HUD’s records.
Moreover, HUD could have recaptured another $580 million from expired project-based Section 8 contracts instead of recapturing funds from active long-term contracts. These amounts represent funds that HUD could put to better use.

What We Recommend

Most of the issues described in this report represent long-standing weaknesses. We understand that implementing sufficient change to mitigate these matters is a multiyear task due to the complexity of the issues and the impediments to change.

In this and in prior years’ audits of HUD’s financial statements, we have made recommendations to HUD’s management to address these issues. Our recommendations from the current audit, as well as those from prior years’ audits that remain open, are listed in Appendix B of this report.

For each recommendation without a management decision, please respond and provide status reports in accordance with HUD Handbook 2000.06, REV-3.

HUD’s Response

The complete text of the agency’s response can be found in Appendix E. This response, along with additional informal comments, was considered in preparing the final version of this report.

TABLE OF CONTENTS

Highlights

Internal Control

Compliance with Laws and Regulations

Appendixes
   A. Objectives, Scope, and Methodology
   B. Recommendations
   C. FFMIA Noncompliance, Responsible Program Offices, and Recommended Remedial Actions
   D. Schedule of Questioned Costs and Funds Put to Better Use
   E. Agency Comments
   F. OIG Evaluation of Agency Comments

Internal Control

Significant Deficiency: HUD Financial Management Systems Need to Comply with Federal Financial Management System Requirements

As reported in prior years, HUD is not in full compliance with federal financial management requirements. Specifically, it has not completed development of an adequate integrated financial management system. HUD is required to implement a unified set of financial systems and the financial portions of mixed systems encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls, and data necessary to carry out financial management functions, manage financial operations of the agency, and report on the agency’s financial status to central agencies, Congress, and the public. As currently configured, HUD financial management systems do not meet the test of being unified. The Federal Financial System Integration Office defines “unified” as meaning that the systems are planned for and managed together, operated in an integrated fashion, and linked electronically to efficiently and effectively provide agency wide financial system support necessary to carry out the agency’s mission and support the agency’s financial management needs.

HUD’s financial systems, many of which were developed and implemented before the issue date of current standards, were not designed to perform or provide the range of financial and performance data currently required.
The result is that HUD, on a department wide basis, does not have unified and integrated financial management systems that are compliant with current federal requirements or provide HUD the information needed to effectively manage its operations on a daily basis. This impairs management’s ability to perform required financial management functions; efficiently manage the financial operations of the agency; and report, on a timely basis, the agency’s financial results, performance measures, and cost information.

FFMIA Requires HUD to Implement a Compliant Financial Management System

The Federal Financial Management Improvement Act of 1996 (FFMIA) requires, among other things, that HUD implement and maintain financial management systems that substantially comply with federal financial management system requirements. The financial management system requirements also include implementing information system security controls. These requirements are detailed in the Federal Financial Management System Requirements series issued by the Joint Financial Management Improvement Program/Financial System Integration Office (JFMIP/FISO) and in Circular No.
A-127, Financial Management Systems, issued by the Office of Management and Budget (OMB). Circular A-127 defines a single integrated financial management system as a unified set of financial systems and the financial portions of mixed systems (e.g., acquisition) encompassing the software, hardware, personnel, processes (manual and automated), procedures, controls, and data necessary to carry out financial management functions, manage the financial operations of the agency, and report on the agency’s financial status.

As in previous audits of HUD’s financial statements, in fiscal year 2007 there continued to be instances of noncompliance with federal financial management system requirements. These instances of noncompliance have given rise to significant management challenges that have: (1) impaired management’s ability to prepare financial statements and other financial information without extensive compensating procedures, (2) resulted in the lack of reliable, comprehensive managerial cost information on its activities and outputs, and (3) limited the availability of information to assist management in effectively managing operations on an ongoing basis.

HUD’s Financial Systems Are Not Adequate

As reported in prior years, HUD does not have financial management systems that enable it to generate and report the information needed to both prepare financial statements and manage operations on an ongoing basis accurately and timely.
To prepare consolidated department wide financial statements, HUD required Federal Housing Administration (FHA), the Government National Mortgage Association (Ginnie Mae), and the Office of Federal Housing Enterprise Oversight to submit financial statement information on spreadsheet templates, which were loaded into a software application. In addition, all consolidating notes and supporting schedules had to be manually posted, verified, reconciled, and traced. To overcome these systemic deficiencies with respect to preparation of its annual financial statements, HUD was compelled to rely on extensive compensating procedures that were costly, labor intensive, and not always efficient.

Due to a lengthy HUD Integrated Financial Management Improvement Project (HIFMIP) procurement process and lack of funding for other financial application initiatives, there were no significant changes made in fiscal year 2007 to HUD’s financial management processes. As a result the underlying system limitations identified in past years remain. The functional limitations of the three applications (HUDCAPS, LOCCS and PAS) performing the core financial system function for HUD are dependent on its data mart and reporting tool to complete the accumulation and summarization of data needed for U.S.
Department of the Treasury and OMB reporting.

HUD’s Financial Systems do not Provide Managerial Cost Data

In fiscal year 2006 the Government Accountability Office (GAO) reported in GAO-06-1002R Managerial Cost Accounting Practices that HUD’s financial systems do not have the functionality to provide managerial cost accounting across its programs and activities. This lack of functionality has resulted in the lack of reliable and comprehensive managerial cost information on its activities and outputs. HUD lacks an effective cost accounting system that is capable of tracking and reporting costs of HUD’s programs in a timely manner to assist in managing its daily operations. This condition renders HUD unable to produce reliable cost-based performance information.

HUD officials have indicated that various cost allocation studies and resource management analyses are required to determine the cost of various activities needed for mandatory financial reporting. However, this information is widely distributed among a variety of information systems, which are not linked and therefore cannot share data. This makes the accumulation of cost information time consuming, labor intensive, untimely, and ultimately makes that cost information not readily available.
Budget, cost management, and performance measurement data are not integrated because HUD:

•   Did not interface its budget formulation system with its core financial system;

•   Lacks the data and system feeds to automate a process to accumulate, allocate, and report costs of activities on a regular basis for financial reporting needs, as well as internal use in managing programs and activities;

•   Does not have the capability to derive current full cost for use in the daily management of Department operations; and

•   Requires an ongoing extensive quality initiative to ensure the accuracy of the cost aspects of its performance measures as they are derived from sources outside the core financial system.

While HUD has modified its resource management application to enhance its cost and performance reporting for program offices and activities, the application does not use core financial system processed data as a source. Instead, HUD uses a variety of applications, studies, and models to estimate the cost of its program management activities. One of these applications, TEAM/REAP, was designed for use in budget formulation and execution, strategic planning, organizational and management analyses, and ongoing management of staff resources. It was enhanced to include an allocation module that added the capability to tie staff distribution to strategic objectives, the President’s Management Agenda, and HUD program offices’ management plans. HUD also concluded a pilot program of this functionality in fiscal year 2007.

Additionally, HUD has developed time codes and an associated activity for nearly all HUD program offices to allow automated cost allocation to the program office activity level.
HUD has indicated that the labor costs that will be allocated to these activities will be obtained from the HUD payroll service provider. However, because the cost information does not pass through the general ledger, current federal financial management requirements are not met.

Financial Systems do not Provide for Effective and Efficient Financial Management

During fiscal year 2007, HUD’s financial information systems did not allow it to achieve its financial management goals in an effective and efficient manner in accordance with current federal requirements. To perform core financial system functions, HUD depends on three major applications, in addition to a data warehouse and a report-writing tool. Two of the three applications that perform core financial system functions require significant management oversight and manual reconciliations to ensure accurate and complete information. HUD’s use of multiple applications to perform core financial system functions further complicates financial management and increases the cost and time expended. Extensive effort is required to manage and coordinate the processing of transactions to ensure the completeness and reliability of information.

While the FHA Subsidiary Ledger (FHA SL) project did provide for funds control checks on transactions as they were posted to the general ledger, this check occurred after the decision to guarantee, obligate, or disburse was made. Current federal requirements state that the funds control checks should be performed before issuing a loan guarantee, approving a disbursement, or in some way binding the government to an obligation.
Until its business systems are re-engineered or replaced, FHA will have to continue to rely on daily or month-end funds control checks for most of its legacy system transactions.

Additionally, the interface between the core financial system and HUD’s procurement system does not provide the required financial information. The procurement system interface with HUDCAPS does not contain data elements to support the payment and closeout processes. Also, the procurement system does not interface with LOCCS and PAS. Therefore, the processes of fund certification, obligation, de-obligation, payment, and close out of transactions that are paid out of the LOCCS system are all completed separately, within either PAS or LOCCS. This lack of compliance with federal requirements impairs HUD’s ability to effectively monitor and manage its procurement actions.

As previously noted, FHA’s financial management system’s environment needed enhancements to more effectively support FHA’s insurance, cash management, and budget processes. FHA is in the process of upgrading and integrating its mixed and feeder financial systems. Its progress was slowed in fiscal year 2007 due to a lack of available funding.

HUD Plans to implement a Department Wide Core Financial System

HUD plans to implement a commercial federal certified core financial system and integrate the current core financial system into one Department-wide core financial system. Additional subsidiary systems will also be integrated to the departmental system by fiscal year 2012.
HUD is initiating business process engineering work to ensure a smooth transition to a single integrated core financial system. FHA and Ginnie Mae have already implemented a compatible and compliant system to support the transition to the enterprise core financial system. HUD’s OCFO has completed the planning and requirements stage. A significant effort during the ongoing phased approach is to assess the financial, programmatic, and mixed systems operating on multiple disparate platforms that provide information to the financial systems. The assessments include developing a plan to standardize and migrate financial functions to the enterprise core financial system to support HUD’s planned enterprise architecture goals to align with the major segment architectures that support HUD’s major business processes. HUD plans to select a qualified shared service provider to host the enterprise system and integrate the four financial systems (HUD, FHA, Ginnie Mae, and OFHEO) into a single system by fiscal year 2012.
OCFO and FHA plan to transition and integrate to a single system in the fiscal year 2009 or 2010 time period; Ginnie Mae plans to integrate to the enterprise system in fiscal year 2010 and OFHEO plans to transition in either fiscal year 2011 or 2012. Achieving integrated financial management for HUD will result in a reduction in the total number of systems maintained, provide online, real-time information for management decision-making, enable HUD to participate in E-government initiatives, and align with HUD’s Information Technology (IT) modernization goals.

Significant Deficiency: HUD Management Must Continue to Improve Oversight and Monitoring of Subsidy Calculations and Intermediaries’ Program Performance

Under the provisions of the U.S. Housing Act of 1937, HUD provides housing assistance funds through various grant and subsidy programs to multifamily project owners (both nonprofit and for profit) and housing authorities. These intermediaries, acting for HUD, provide housing assistance to benefit primarily low-income families and individuals (households) that live in public housing, Section 8 and Section 202/811 assisted housing, and Native American housing. In fiscal year 2007, HUD spent about $27 billion to provide rent and operating subsidies that benefited more than four million households.

Since 1996, we have reported on weaknesses with the monitoring of the housing assistance program’s delivery and the verification of subsidy payments. We focused on the impact these weaknesses had on HUD’s ability to (1) ensure intermediaries are correctly calculating housing subsidies and (2) verify tenant income and billings for subsidies. During the past several years, HUD has made progress in correcting this deficiency.
In 2007, HUD continued utilizing the comprehensive consolidated reviews in the Office of Public and Indian Housing’s (PIH) efforts to address public housing authorities’ (PHA) improper payments and other high-risk elements. HUD’s continued commitment to the implementation of a comprehensive program to reduce erroneous payments will be essential to ensuring that HUD’s intermediaries are properly carrying out their responsibility to administer assisted housing programs according to HUD requirements.

The Department has demonstrated improvements in its internal control structure to address the significant risk that HUD’s intermediaries are not properly carrying out their responsibility to administer assisted housing programs according to HUD requirements. HUD’s increased and improved monitoring has resulted in a significant decline in improper payment estimates over the last five years. However, HUD needs to continue to place emphasis on its on-site monitoring and technical assistance to ensure that acceptable levels of performance and compliance are achieved and periodically assess the accuracy of intermediaries’ rent determinations, tenant income verifications, and billings.

Tenant income is the primary factor affecting eligibility for housing assistance, the amount of assistance a family receives, and the amount of subsidy HUD pays. Generally, HUD’s subsidy payment makes up the difference between 30 percent of a household’s adjusted income and the housing unit’s actual rent or, under the Section 8 voucher program, a payment standard. The admission of a household to these rental assistance programs and the size of the subsidy the household receives depend directly on the household’s self-reported income.
However, significant amounts of excess subsidy payments occur because of intermediaries’ rent determinations and undetected, unreported, or underreported income. By overpaying rent subsidies, HUD serves fewer families. Every dollar paid in excess subsidies represents funds that could have been used to subsidize other eligible families in need of assistance.

HUD’s estimate of erroneous payments rises in 2007

The estimate of erroneous payments that HUD reports in its Performance and Accountability Report relates to HUD’s inability to ensure or verify the accuracy of subsidy payments being determined and paid to assisted households. This year’s contracted study of HUD’s three major assisted housing programs estimated that the rent determination errors made by the intermediaries resulted in substantial subsidy overpayments and underpayments. The study was based on analyses of a statistical sample of tenant files, tenant interviews, and income verification data for activity that occurred during fiscal year 2006. This study reports subsidy payment inconsistencies in which HUD incorrectly paid $954 million in annual housing subsidies, of which about $648 million was overpaid on behalf of households paying too little rent and about $306 million was underpaid on behalf of households paying too much rent based on HUD requirements. This is a 3 percent increase in the gross erroneous payment in comparison to the prior year.
The estimate of erroneous payments is reported in HUD’s Fiscal Year 2007 Performance and Accountability Report.

The estimate of erroneous payments this year also includes overpaid subsidies from underreported and unreported income and intermediaries’ billings errors. HUD estimated that housing subsidy overpayments from tenants misreporting their income totaled an additional $377 million in overpayments during calendar year 2006. During our testing of the initial error estimate results, we found additional cases resulting in valid errors. Therefore, including the subsidy error associated with the income from these cases, the revised estimate is $384 million.

HUD did not conduct a billings study during fiscal year 2007. Therefore, the results of last year’s study will carry over for this year’s billings error estimate. Based on the payment errors that were identified for the Office of Housing’s project-based Section 8 housing program, HUD reported an estimated $59 million in program billings errors for fiscal year 2006. In addition, PIH reported its fiscal year 2004 billings error estimate of $72 million for the Housing Choice Voucher program.

Additionally, an operating subsidy estimate of $49 million was included in the PIH billings estimate.
Therefore, adding the Office of Housing’s estimate of $59 million to the PIH estimate of $72 million for Section 8 and the $49 million for operating subsidy resulted in a $180 million estimate of erroneous payments for billings errors.

In addition to the Rental Housing Integrity Improvement Project (RHIIP)-related estimates, HUD performed a risk assessment update on one third of all HUD programs exceeding $40 million in expenditures (except those associated with the RHIIP) to determine whether they are susceptible to significant erroneous or improper payments. The OCFO performed a risk assessment on nine of HUD’s funded activities (programs). Eight of the nine programs were updated and reevaluated for the current risk assessment. For the other program, Housing Counseling Assistance, this is the first year that a risk assessment was conducted. Although individual program risk ratings for the eight programs may have changed slightly, none of the programs evaluated were considered susceptible to significant improper payments for fiscal year 2006, as defined in OMB Circular A-123, Appendix C, Part 1.

OMB Circular No. A-11, Section 57 had previously required an evaluation of the error rates of specific programs listed for each agency. Two of the five programs listed in Section 57 for HUD were included in their risk assessment.
However, they were not determined to be susceptible to significant improper payments. Therefore, HUD will not be reporting an error rate for these programs.

HUD needs to continue initiatives to detect unreported tenant income

The computer matching agreement between HUD’s Office of Housing and the Department of Health and Human Services (HHS) for use of the National Directory of New Hires in the Enterprise Income Verification system (EIV) was finalized in fiscal year 2007. An expansion of EIV to HUD’s project-based owners is planned for fiscal year 2008. EIV is a web-based system that compiles tenant income information and makes it available online to HUD business partners so that they may more accurately determine tenant income as part of the process of setting rental subsidy. Currently, EIV matches tenant data against Social Security Administration information, including Social Security Act benefits and Supplemental Security Income, and with the HHS National Directory of New Hires (NDNH) database, which provides information such as wages, unemployment benefits, and W-4 (“new hires”) data, on behalf of PIH and Multifamily Housing programs. The EIV System is available to PHAs nationwide, and all PHAs are encouraged to use and implement the Enterprise Income Verification System in their day-to-day operations.

HUD needs to continue progress on RHIIP initiatives

HUD initiated the RHIIP initiatives in fiscal year 2001 in an effort to develop tools and the capability to minimize erroneous rental subsidy payments, which includes the excess rental subsidy caused by unreported and underreported tenant income.
Since our last report, HUD has continued to make progress in implementing several initiatives that address the problems surrounding housing authorities’ rental subsidy determinations, underreported income, and assistance billings. However, HUD still needs to ensure that it fully utilizes automated tools to detect rent subsidy processing deficiencies and identify and measure erroneous payments.

During fiscal year 2006, HUD implemented an initiative to perform consolidated reviews in order to reinforce PIH’s effort in addressing PHA improper payments and other high-risk elements. These reviews were also implemented to ensure the continuation of the PIH’s comprehensive monitoring and oversight of PHAs. In fiscal year 2007, Tier 1 comprehensive reviews on 20 percent of the PHAs that manage 80 percent of HUD’s funds are mandatory. According to the Fiscal Year 2007 Management Plan directive, PIH identified 90 PHAs that receive 80 percent of HUD’s funding for the priority Tier 1 comprehensive reviews. Tier 2 comprehensive reviews of the remaining PHAs are optional, depending upon each field office’s resources. Tier 1 comprehensive reviews will include rental integrity monitoring (RIM), RIM follow-up on Corrective Action Plans (CAPs), EIV implementation and security, SEMAP confirmatory reviews, SEMAP quality control reviews, EH&S spot-checks, MASS certifications, and civil rights limited front-end reviews.

Documentation provided during our review showed that 98 Tier I reviews and 11 Tier II reviews were performed during fiscal year 2007. Because of the deficiencies identified in the consolidated reviews, CAPs were implemented at 14 PHAs.
At the end of our fieldwork, none of the CAPs from these reviews had been closed out. Additionally, at the end of our fiscal year 2006 fieldwork we noted that 16 CAPs were still open from the 2003-2004 RIM follow-up reviews. During our fiscal year 2007 review, we determined that 14 of these CAPs are still open because the respective PHA was either in receivership or in troubled status. HUD must continue to assure that CAPs are implemented and closed out, thereby assuring that the systemic errors identified during the reviews were corrected.

In prior years, we reported that the Public Housing Information Center system (now known as the Inventory Management System) information was incomplete and/or inaccurate because housing authority reporting requirements were discretionary. This has been a long-standing deficiency. Therefore, PHAs have been mandated to submit 100 percent of their family records to HUD’s Public Housing Information Center system (Inventory Management System) Form 50058 Module. In addition, PHAs must have a minimum reporting rate of 95 percent at the time of their annual Form HUD 50058 reporting rate assessment or be subject to sanctions. During our field review at four field offices, we noted 137 PHAs that were not meeting the minimum 95 percent reporting rate.
Since HUD uses the tenant data from its Public Housing Information Center system (Inventory Management System) for the income-matching program and program monitoring, it is essential that the database have complete and accurate tenant information. Therefore, until a more efficient and effective means of verifying the accuracy of the data is developed, HUD needs to continue to emphasize the importance of accurate reporting and proactively enforce sanctions against those PHAs that do not follow the requirement.

HUD has made substantial progress in taking steps to reduce erroneous payments. However, HUD must continue its regular on-site and remote monitoring of the PHAs and use the results from the monitoring efforts to focus on corrective actions when needed. We are encouraged by the on-going actions to focus on improving controls regarding income verification, as well as HUD’s plans regarding CAPs, consolidated reviews, and the continual income and rent training for HUD, owners, management agents, and PHA staff.

Significant Deficiency: HUD Needs to Improve its Budgeting and Funds Control Over Section 8 Project-based Contracts

HUD’s systems and controls for accounting, processing payments, monitoring, and budgeting for Section 8 project-based contracts need to be improved. HUD has been hampered in its ability to estimate funding requirements, process timely payments to project-based landlords, and to recapture excess funds in a timely manner. This is evidenced in HUD’s long-term challenges in paying Section 8 project-based landlords on a timely basis and properly monitoring and accurately accounting and budgeting for contract renewals.
These historic problems with the Section 8 project-based program were further exacerbated and highlighted in fiscal year 2007 due to a change in the interpretation of the contract language used in the Section 8 project-based renewal contracts and the movement of Section 8 project-based contracts from the HUDCAPS accounting system to the Program Accounting System (PAS) accounting system.

HUD currently administers over 18,000 housing assistance payment (HAP) contracts to provide about 1.25 million low-income housing units. A total of 12,910 contracts, covering over 915,000 housing units, are subject to annual renewals.

Violation of Antideficiency Act may have occurred

Since the late 1990’s, HUD has incrementally funded annual Section 8 project-based contract renewals based on availability of funds. However, HUD performed a review of the contract language and program funds control processes in fiscal year 2007 and took the position that the incremental funding of contract renewals was not proper and that a violation of the Antideficiency Act may have occurred [2].

As of June 15, 2007, HUD had incurred legal obligations to disburse about $2.4 billion on Section 8 housing assistance payment contracts for which it had not recorded the associated obligations in its accounting system. This occurred because the legal obligations created by the contracts exceeded the amount of budget authority initially determined to be available to HUD. The amounts, in part, represented budget authority that would be needed to fund payments on existing contracts that were expected to be made during 2008. As of June 15, 2007, the recorded budget authority available to HUD for these contracts was about $605 million.
Additionally, the renewal of 3,928 contracts expiring during fiscal year 2007 would require an additional $1.9 billion of budget authority to cover payments expected to be made during fiscal year 2008.

HUD recaptured additional funds to cover Section 8 needs

As a result, in July 2007, HUD faced funding needs of $4.75 billion in Section 8 project-based funds to meet remaining fiscal year 2007 contract and rescission requirements. HUD undertook a strategy to (1) fully fund the $2.4 billion in unrecorded obligations for contracts already executed in 2007; (2) revise contract terms for pending renewals to allow for $700 million in incremental funding; and (3) review existing expired and active contracts for potential funds that could be used to cover Section 8 project-based funding shortfalls and the $1.65 billion rescission mandated by Congress. While HUD was able to find additional sources of funds through the recapture of excess funds from expired and/or active long-term contracts, HUD was late in paying some project-based landlords. Further, HUD’s analysis of future funding needs did not consider excess funding on all expired contracts.

Historically, HUD has annually performed a review to identify and recapture excess funds from both expired long-term contracts and annual renewal contracts. HUD used these recaptured excess funds to provide additional funds for contracts that were under-funded or to meet rescissions mandated by Congress.
Because of the projected 2007 shortfall in Section 8 project-based funds, HUD not only recaptured funds from expired contracts, but also re-estimated the funding needs for the remaining active Section 8 long-term contracts, and recaptured $1.2 billion from contracts that were projected to have funds remaining at the end of their term.

[2] As of the date of our report, HUD had not rendered a formal written legal opinion on this matter.

HUD’s recapture methodology needs revision

However, our review showed that HUD’s recapture methodology did not consider Section 8 project-based contracts that expired during fiscal year 2007 as a potential source for recaptures. We found that HUD could have recaptured up to $580 million from these expired contracts, in lieu of recapturing funds from active long-term contracts. We recommend that HUD revise its Section 8 project-based recapture methodology and recapture funds from Section 8 contracts that expired in the current fiscal year. HUD has undertaken a review to develop a more accurate estimate of funding requirements for its long-term Section 8 project-based contracts.

A long-term financial management system solution is needed

In addition, HUD still needs to develop a long-term financial management system solution to streamline and automate the overall Section 8 project-based budgeting, payment, and contract management process. HUD’s process for renewing subsidy contracts is largely a manual and paper-based process. HUD lacks the internal processes to timely estimate the contract funding level on an ongoing basis. There is a lack of automated interfaces between the Office of Housing subsidiary records with the Department’s general ledger for the control of program funds.
This necessitates that HUD and its contractors make extensive use of ad hoc analyses and special projects to review Section 8 contracts. In fiscal year 2007, HUD initiated a project to eliminate its use of dual accounting systems, HUDCAPS and PAS, to monitor, make payments, and recapture funds for the Section 8 project-based contracts. Under this project, HUD transferred the accounting for 4,507 Section 8 contracts from HUDCAPS to PAS, thereby centralizing the Section 8 project-based contract inventory in one accounting system. However, difficulties were encountered in converting this data, which contributed to delays in payments to Section 8 landlords. In addition, as a result of revising contract terms for pending renewals and the resulting processing and execution, HUD was forced to delay payments to project-based landlords until contracts were fully executed. HUD sent out the 1,728 revised 2007 contracts for the fourth-quarter (July-September) to contract administrators during the first week of September 2007.

In addition, we found that the quality of data in PAS needs to be improved and HUD needs to perform a review to ensure that PAS data used to compute obligation balances is accurate and reliable.
Our review of the Section 8 project-based account balances showed deficiencies that raised concerns about the integrity and usefulness of PAS data for computing funding requirements for Section 8 project-based assistance contracts. Specifically, we noted that:

• Funds totaling $5.2 million were recaptured from 1,122 projects that were reported in PAS as having no available balance.

• PAS data showed more than 14,000 funding lines with an initial contract date or contract expiration date of “January 1, 1900.” Of the total 14,000 funding lines, 2087 were reported in PAS as having $1.6 billion of available funds.

• The month-to-date disbursement field equaled zero for more than 7000 contracts, even though disbursements were made on these contracts in fiscal year 2007.

• The contracted units reported in PAS differed from the number of units shown as contracted in the Tenant Rental Assistance Certification System (TRACS).

On November 15, 2005 GAO reported [3] similar concerns and recommended that HUD streamline and automate the contract renewal process, better estimate and monitor contract funding levels, and notify owners about expected late payments. HUD agreed with the recommendations, but we found HUD has not fully implemented them.

Significant Deficiency: HUD Needs to Improve Processes for Reviewing Obligation Balances

HUD needs to improve controls over the monitoring of obligation balances to ensure they remain needed and legally valid as of the end of the fiscal year. HUD’s procedures for identifying and deobligating funds that are no longer needed to meet its obligations were not always effective. This has been a long-standing weakness.
Our review of the 2007 year-end obligation balances showed $342.3 million in excess funds that could be recaptured. We have been reporting deficiencies in this area for several years and while HUD has been working to implement improved procedures and information systems, progress has been slow. Major deficiencies include:

• Timely reviews of unexpended obligations are not being performed, and

• A lack of integration between accounting systems and the need for accurate databases has hampered HUD’s ability to evaluate unexpended Section 8, Rental Assistance Payment, Rent Supplement, and Interest Reduction Program obligations.

Annually, HUD performs a review of unliquidated obligations to determine whether the obligations should be continued, reduced, or canceled. We evaluated HUD’s internal controls for monitoring obligated balances.

[3] GAO-06-57 Project-Based Rental Assistance: HUD Should Streamline Its Processes to Ensure Timely Housing Assistance Payments, November 15, 2005

Section 8 Programs

Section 8 budget authority is generally available until expended. As a result, HUD should periodically assess budget needs and identify excess program reserves in the Section 8 programs as an offset to future budget requirements. Excess program reserves represent budget authority originally received, which will not be needed to fund the related contracts to their expiration.
While HUD had taken some action to identify and recapture excess budget authority in the Section 8 programs, weaknesses in the review process and inadequate financial systems continue to hamper HUD’s efforts [4]. There is a lack of automated interfaces between the Office of Public and Indian Housing and the Office of Housing subsidiary records with the Department’s general ledger for the control of program funds. This necessitates that HUD and its contractors make extensive use of ad hoc analyses and special projects to review Section 8 contracts for excess funds, which has hampered HUD’s ability to identify excess funds remaining on Section 8 contracts in a timely manner.

This fiscal year, the Office of Housing recaptured approximately $1.7 billion in unliquidated obligation balances in the Section 8 project-based program. Our review of the Section 8 project-based contracts showed an additional $172.1 million of available contract/budget authority on 1,187 contracts that had expiration dates prior to October 1, 2006. Funds associated with these contracts should be recaptured.

In August 2007, the Office of Public and Indian Housing performed a recapture of unexpended obligations on expired contracts in the Moderate Rehabilitation housing program totaling approximately $288.6 million, which is up from $171 million recaptured in fiscal year 2006.
The increase this fiscal year is due to the Office of Public and Indian Housing's revised recapture methodology which addressed several concerns that we expressed in prior years, including that excess reserves be recaptured from fully expired increments first, then followed by reserves from active funding increment lines. Since all funding increment lines are now subject to recapture, our review did not reveal any additional excess budget authority that should be recaptured.

[4] For additional details pertaining to the deficiencies in HUD’s Section 8 project-based accounting system, see the Significant Deficiency: HUD Needs to Improve its Budgeting and Funds Control Over Section 8 project-based Contracts.

During fiscal year 2007, the Office of Public and Indian Housing performed an analysis of budget authority for the Section 8 tenant-based program and recaptured approximately $76.9 million of unexpended budget authority. These funds were generated, primarily, by recapturing the remaining funds for fiscal year 2004 and prior years. As of January 1, 2005, PIH requires the housing authorities to account for their over and under payments of funds in a Net Restricted Assets Account, and the balances are no longer reflected in the Department’s general ledger. As a result, the Voucher Program no longer accounts for receivables and payables resulting from the year-end settlement verification process and the use of housing authority reserve accounts has been eliminated. Thus, the last official recapture was made for the Housing Choice Voucher Program in fiscal year 2006.
The only funds recaptured for this program this fiscal year were those funds that were unavailable for recapture in fiscal year 2006.

Administrative/Other Program Obligations

Requests for obligation reviews were forwarded by the Chief Financial Officer to the program and administrative offices. The focus of the review was on program obligations that exceeded a balance of $285,507 and administrative obligations that exceeded $20,130. Excluding the Section 8 and Section 235/236 programs, which undergo a separate review process by the program offices, the total dollar amount of obligations identified for review in fiscal year 2007 totaled $605.5 million. Of that $605.5 million, HUD identified 2,890 transactions totaling $55.9 million for potential deobligation. We tested the 2,890 obligations above the Department’s review thresholds to determine whether the associated $55.9 million balances had been deobligated in HUD’s Central Accounting and Program Accounting System. We found that, as of September 30, 2007, a total of 51 transactions with obligation authority of $7.2 million had not been deobligated. The Department has initiated a process of closing these contracts and the associated funding should be recaptured in fiscal year 2008. We noted a concerted effort made by HUD during fiscal year 2007 to closeout contracts and deobligate excess contract funds.

Rent Supplement and Rental Assistance Payments

HUD is not recapturing excess undisbursed contract authority from the Rent Supplement and Rental Assistance Payments programs in a timely manner.
HUD still needs to emphasize the periodic review of undisbursed contract authority from the Rent Supplement and Rental Assistance Payments programs to ensure the timely recapture of excess funds.

The Rent Supplement and Rental Assistance Payments programs were created around 1965 and 1974, respectively. The Rent Supplement program and Rental Assistance Payments operate much like the current project-based Section 8 rental assistance program. Rental assistance is paid directly to multi-family housing owners on behalf of eligible tenants.

HUD’s subsidiary ledgers show, for each fiscal year, the amount authorized for disbursement and the amount that was disbursed under each project account. Funds remain in these accounts until they are paid out or deobligated by the accounting department. If the funds are not paid out or deobligated, the funds remain on the books, overstating the required contract authority.

Our review showed that HUD developed and implemented procedures in fiscal year 2006 to review quarterly the programs and associated contract authority requirements. However, HUD still needs to emphasize and complete its reviews. We performed a review of unliquidated obligations for the multifamily projects accounts under the Rent Supplement and Rental Assistance programs. Our review found $132.7 million in undisbursed contract authority from prior fiscal years on 55 multifamily projects that should be recaptured. These projects had been terminated, converted to Section 8, or opted out of the programs, but their associated undisbursed funds had not been recaptured.
HUD processed adjustments to deobligate this $132.7 million of excess undisbursed contract authority for Rent Supplement and Rental Assistance Payment programs in fiscal year 2007.

Section 236 Interest Reduction Program

The budget authority related to the Section 236 Interest Reduction Program is included in the Statement of Budgetary Resources. This program is not considered a major program and is categorized as one of HUD’s “other programs” in the various consolidating financial statements. The Section 236 Interest Reduction Program was created under the National Housing Act, as amended, in 1968, and new activity was ceased during the mid-1970s. The contracts entered into were typically up to 40 years in duration and more than 3,100 contracts remain active. The activities carried out by this program include making interest reduction payments directly to mortgage companies on behalf of multifamily project owners. The obligations were established based upon permanent indefinite appropriation authority and HUD was obligated to fund these contracts for their duration. At the time it entered into the contracts, HUD was to record obligations for the entire amount. Because of the age of the records and the absence of sound financial practices at the time the program was active, HUD has been forced to use the best information available to compute estimated future payments to be made over the life of the loans. These estimates are the basis for HUD’s current recorded obligation balances necessary to fully fund the contracts to their expiration. HUD adjusts the recorded obligations as it proceeds through the term of the contracts in order to reflect better estimates of the financial commitment.
Factors that can change the budgetary requirements over time include contract terminations, refinancing, and restructuring.

Deficiencies in the Section 236 Interest Reduction Program have been reported by OIG in prior reports on the financial statements. The Offices of Housing and the Chief Financial Officer have been hampered by historically poor record keeping in their attempt to accurately account for unexpended Section 236 Interest Reduction Program budget authority balances. In recent years, OIG noted that HUD made a series of corrective actions to address these deficiencies.

In response to fiscal year 2004’s OIG report and OMB concerns, the Department initiated a contract-by-contract review in August 2005 to identify underreported, as well as over reported balances, and support the Section 236 contract and budget authority. In 2006, HUD developed and implemented procedures for quarterly reconciling of its obligation account. This action resulted in HUD identifying potential recaptures of $204 million from 169 contracts that were either terminated or prepaid. HUD also completed a contract-by-contract review of 51 projects with contract terms that HUD had previously assumed were 50 years. Based on this review, HUD revised the contract terms for all of the 51 projects from 50 years to an average 41 years, which resulted in HUD deobligating $118 million for the 51 projects.

This year’s OIG review of the Interest Reduction Program noted continuing progress in HUD's processes for reviewing obligations. In response to last year's OIG report, HUD completed a reconciliation review with service providers for 266 contracts, which resulted in HUD identifying and deobligating over $69 million of excess obligation balances.
However, our review disclosed that further improvements in HUD’s processes are needed to ensure Section 236 IRP obligations are valid and can be more accurately estimated and reported.

We identified 16 inactive Section 236 Interest Reduction Program contracts with over $5.5 million in excess contract and budget authority that could be deobligated. These 16 contracts had been prepaid and terminated from the program. HUD agreed and processed adjustments to deobligate $4.0 million in fiscal year 2007 and plans to deobligate $1.5 million in fiscal year 2008.

In addition, we identified 20 contracts with overestimated funding requirements of $13.6 million. This total includes $4.9 million for 16 duplicate contracts that were recorded in the subsidiary ledger and $8.7 million associated with 4 contracts with inaccurate payment schedules. HUD agreed and processed adjustments to deobligate $6.3 million in fiscal year 2007 and plans to deobligate the remaining balance of $7.3 million in fiscal year 2008 for two contracts with inaccurate payment schedules.

Moreover, we identified an invalid project designated in HUD's subsidiary ledger as project "999999." An account balance of $11.2 million was shown in the subsidiary ledger as an obligation for project "999999," but it was not tied to any specific valid contracts. HUD used obligated balances in this account to fund adjustments resulting from a contract review it implemented in fiscal year 2006. While the contract review was almost complete, and the need for this account had diminished in fiscal year 2007, HUD retained the obligated balances in this account, resulting in an overstatement of the required contract authority for the Section 236 Interest Reduction Payment program.
HUD agreed that balances in project "999999" were not supported by any valid contract and processed an adjustment to deobligate the unsupported balance of $11.2 million in this account in fiscal year 2007.

The deficiencies in the Section 236 program occurred because of the dynamics of the program, including continuing unpredictable changes in project status, which rendered HUD's recently implemented quarterly contract review procedure as ineffective in providing timely monitoring updates on the project status. HUD needs to improve its quarterly contract reconciliation procedure by including a periodic review of its subsidiary ledgers to ensure that contract and budget authority for the Section 236 Interest Reduction Program are valid and estimates are accurately reported.

For the Department’s administrative and other program funds, HUD needs to promptly perform contract closeout reviews and recapture the associated excess contract authority and imputed budget authority. In addition, HUD needs to address data and systems weaknesses to ensure that all contracts are considered in the recapture/shortfall budget process including Rent Supplement and Rental Assistance Programs.

With respect to project-based Section 8 contracts, we recommended in our audit of the Department’s fiscal year 1999 financial statements that systems be enhanced to facilitate timely closeout and recapture of funds. In addition, we recommended that the closeout and recapture process occur periodically during the fiscal year, and not just at year-end.
Implementation of the recommendations is critical so that excess budget authority can be recaptured in a timely manner and considered in formulating requests for new budget authority.

Significant Deficiency: Controls over HUD’s Computing Environment Can Be Further Strengthened

HUD’s computing environment, data centers, networks, and servers provide critical support to all facets of the Department’s programs, mortgage insurance, servicing, and administrative operations. In prior years, we reported on various weaknesses with general system controls and controls over certain applications, as well as weak security management. These deficiencies increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use, or misappropriation.

We evaluated selected information systems general controls of the Department’s computer systems on which HUD’s financial systems reside. Our review found information systems control weaknesses that could negatively affect the integrity, confidentiality, and availability of computerized data. Presented below is a summary of the control weaknesses found during the review.

Entity-wide Security Program

HUD has made strides toward implementing a compliant entity wide security program as required by the Federal Information Security Management Act of 2002 (FISMA). HUD has developed guidance, conducted meetings and provided training to program officials to ensure security policies are properly implemented at the program and system level. However, additional progress is needed.
Specifically, we found that:

HUD’s Certification and Accreditation Process Needs Further Improvement.

While HUD has made progress on updating security plans and risk assessments for major applications, and correcting security weaknesses for general support systems, HUD’s certification and accreditation process needs further improvement. For example,

• In fiscal year 2007, HUD made significant changes to two general support systems; however, HUD did not perform a full test of the implemented security controls. Further, HUD did not perform a security impact assessment on these changes or update related security documents to reflect these changes.

• HUD placed systems into production before they were fully certified and accredited, and before a comprehensive assessment of the management, operational and technical controls in the systems was completed.

• HUD did not ensure that all non-major applications were covered by the certification and accreditation of the underlying general support system, and did not document the additional required security controls for these non-major applications.

• HUD’s major applications still have many delayed weaknesses with no corrective action plan and/or new projected completion dates. There are weaknesses that have remained open since fiscal year 2003.

Additional Actions are Needed to be in Full Compliance with Federal Information Security Requirements.

• HUD’s Office of Information Technology Security identified 195 HUD systems that require an e-authentication risk assessment5.
However, HUD program offices and system owners have not completed e-authentication risk assessments for 149 systems, of which 33 are financial management systems.

5 E-authentication is the process of establishing confidence in user identities electronically presented to an information system. To successfully implement a government service electronically (or e-government), Federal agencies must determine the required level of assurance in the authentication for each transaction. This is accomplished through a risk assessment for each transaction. The assessment identifies risks and their likelihood of

• HUD has not fully implemented all technical controls required by the Office of Management and Budget (OMB) to protect personally identifiable information.6 The technical controls include encryption for laptops and two-factor authentication on all enterprise remote access solutions.

• HUD has not disconnected obsolete systems from HUD’s network and removed these systems from HUD’s inventory of automated systems in a timely manner. In addition, we noted that system owners did not include a system in HUD’s inventory of automated systems even though the system contains personally identifiable information.
This issue was reported in OIG’s audit report number 2007-DP-0006, “Review of HUD’s Personal Identity Verification and Privacy Program,” dated August 28, 2007.

• HUD did not ensure that systems containing personally identifiable information were categorized as moderate or high-risk impact level, as required by OMB Memorandum M-07-16 “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” In addition, HUD did not report every incident involving personally identifiable information to the United States Computer Emergency Readiness Team (US-CERT) within one hour of discovering the incident.

• Additional details can be found in a previously issued OIG memorandum, Audit Memorandum No. 2007-DP-0801, “OIG Response to Questions from the Office of Management and Budget under Federal Information Security Management Act of 2002,” dated September 28, 2007. We also plan to issue a separate detailed audit report on HUD’s entity-wide security program.

HUD’s Network Environment

A number of weaknesses in HUD’s network security were found during a vulnerability assessment performed by the OIG. We concluded from our assessment that, although HUD has implemented controls to protect its network from external intruders, internal testing identified security configuration and technical control deficiencies. For example, we found that:

occurrence.
Source: OMB Memorandum M-04-04, “E-Authentication Guidance for Federal Agencies,” dated December 16, 2003

6 The term Personally Identifiable Information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. Source: OMB Memorandum M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments,” dated July 12, 2006

• Adequate controls were not in place to restrict access to sensitive network and security information on several systems,

• Not all vulnerabilities on targeted HUD workstations were patched,

• User accounts inactive for more than 90 days were not disabled or removed, and

• Configurations were not adequately set to limit access to HUD’s internal network.

If proper access controls are not in place, there is no assurance that HUD would be able to protect against the unauthorized disclosure, modification, or destruction of the data residing in these systems.

Unisys Performance and Security Controls

HUD has not implemented sufficient controls over its Unisys 2200 Operating System and is not in full compliance with applicable federal laws and guidelines.
Based on our review, we determined the following areas need to be addressed:

• We found that HUD does not have a technical baseline7 that specifically addresses security controls for its Unisys 2200 operating systems, and the security plan is not current. Specifically: (1) HUD follows a security technical implementation guide that has not been tailored to the HUD environment; (2) the vendor security checklist8 has not been approved, is incomplete, and does not provide detailed guidance to implement HUD’s policy and procedures in regard to the Unisys operating systems; and (3) the system security plan is not current.

• HUD’s security log management process needs improvement. Without adequate security log management process controls in place, HUD cannot maintain an inclusive history of events and it will not be able to effectively perform audits and forensic and operational trend analyses, or identify long-term problems, all of which could help establish or improve security controls.

• User access controls over the Unisys mainframe general support systems do not adequately protect the systems from unauthorized modification, disclosure, loss, or loss of data.

7 National Institute of Standards and Technology Special Publication 800-70, “Security Configuration Checklists Program for IT Products – Guidance for Checklists Users and Developers,” states that the checklist environment supports baseline technical security practices which are based on commonly accepted technical security principles and practices, catalogued in various NIST Special Publications.

8 A security configuration checklist (sometimes referred to as a lockdown guide, hardening
guide, security guide, security technical implementation guide [STIG], or benchmark) is essentially a document that contains instructions or procedures for configuring an IT product to an operational environment.

• The system file that supports the System for Tape Administration and Reporting (STAR-1100)9 is not adequately protected from unauthorized modifications. The STAR-1100 is crucial for systems that are not considered mission critical because they rely on the backup tapes to restore their data.

HUD Procurement System

In fiscal year 2006, we reported that the HUD Procurement System and HUD Small Purchase System lacked sufficient financial data to effectively manage and monitor procurement transactions. Adequate controls had not been established to ensure that: (1) all parties to an acquisition transaction were identified; (2) users did not exceed their procurement authority; and (3) only users with procurement authority were authorizing the recording of the obligation of funds within the system interface with HUDCAPS. Additionally, the Office of the Chief Procurement Officer was bypassing certain built-in separation of duties controls within the HPS such that application and system administrator personnel were inappropriately performing security administration functions. We also reported that HUD’s Office of the Chief Procurement Officer had not designed or implemented information security controls or ensured that its information security responsibilities were fulfilled as required by FISMA and HUD’s information technology security policies and procedures.
An OIG audit report detailing these problems was issued January 25, 2007.10

In our follow-up review of the reported weaknesses, we determined that HUD has made progress in implementing effective controls over its procurement system. For instance, HUD issued a policy memorandum requiring a contracting officer to validate all contract data in both the HUD Procurement System and HUD Small Purchase System, as well as the contract obligations in HUDCAPS. HUD also administratively separated the security and system administration functions. Additionally, HUD designated a manager to assume responsibility for ensuring the Office of the Chief Procurement Officer’s compliance with federal certification and accreditation process requirements and to provide “continuous monitoring” of the office’s information systems security. However, additional work is needed to ensure that all parties to an acquisition transaction are identified, and that all information technology security responsibilities are fulfilled.

9 STAR-1100 is a commercial product that provides automated tape management capabilities. It manages backup tapes for applications and general support systems. Features include tape inventory, scratch and clean functions, vault management for off-site purposes, an interface with automated cartridge systems (robotic silos), and a variety of management reports.

HUD’s Financial Systems

As part of our review of HUD's information systems controls in support of the fiscal year 2007 financial statements audit, we evaluated information security controls over

10 Audit Report No.
2007-DP-0003, Review of HUD’s Procurement Systems

HUDCAPS, LOCCS and the Financial DataMart, three of HUD’s financial systems. We identified control weaknesses that could negatively affect the integrity, confidentiality, and availability of computerized financial data.

LOCCS

We found that the controls over the LOCCS user recertification process were not effective to verify the access of all users. Systemic deficiencies led to the omission of more than 10,000 users from the LOCCS recertification process. An additional 199 users had last recertification dates within the application prior to March 31, 2006, indicating that they also were not included in the fiscal year 2007 recertification process.

HUDCAPS

The Office of the Chief Financial Officer granted two contractors/developers above READ access to the HUDCAPS production data stored within the mainframe environment without documenting either their acceptance of the risks associated with or the justification for this access level. The documentation to support this access was not maintained by the system owner, and acceptance of the risks associated with this access level was not documented in the system security plan. Additionally, neither of the two developers received the required level of background investigation. One developer received only a minimum background investigation. The other developer was not investigated at all.

Financial DataMart

The Office of the Chief Financial Officer identified and reported that an unauthorized individual had access to sensitive data that was not needed to perform assigned duties.
In June 2007, it was determined that an unauthorized individual was accessing production data from the Financial DataMart using an application’s login ID and password. In addition, the password assigned to the application login ID did not conform to HUD’s password policy.

All users with access to the HUD Web can access and generate reports containing proprietary financial data maintained within the Financial DataMart. The Financial DataMart contains proprietary financial data related to HUD and its business partners. The Financial DataMart also contains personally identifiable information such as names, addresses, social security numbers, and bank account numbers. Although the Office of the Chief Financial Officer identified the users that required access to the data, they did not limit access to only those individuals. In addition, the Office of the Chief Financial Officer did not adequately assess the risk associated with providing unlimited access to proprietary financial data.

IBM Mainframe z/OS Operating System

During our fiscal year 2006 review of HUD's information systems controls in support of the financial statements audit, we found that HUD had not implemented sufficient controls over the IBM mainframe z/OS operating system.
For example, HUD had not: (1) appropriately implemented physical and logical security controls over the IBM mainframe operating system computer consoles; (2) ensured that the most powerful administrative authority was assigned only to HUD and contractor personnel who required this privilege to perform their jobs; (3) properly managed the powerful top secret administrator account; and (4) ensured effective communication between the vendor supporting the IBM mainframe, HUD information technology management, and program offices regarding IBM operation service disruptions.

In our follow-up review of the reported weaknesses, we determined that HUD has taken steps to ensure effective communications with regard to IBM operation service disruptions. Additionally, HUD has completed the implementation of physical and logical security controls over the IBM mainframe operating system computer consoles. However, more work is needed to ensure that the most powerful administrative authority is restricted to only those persons who require it to perform their duties, and that the administrator account is properly managed.

Software Configuration Management

During our fiscal year 2006 review of HUD's information systems controls in support of the financial statements audit, we reviewed HUD’s configuration management11 controls to determine whether they were in place and used for all changes. We identified weaknesses in the administration of the configuration management tool used for the HUD Procurement System.
Specifically, (1) release procedures used were not being performed correctly, (2) administrators on the Unix operating system had inappropriate access privileges to the procurement system, and (3) the configuration management plan had not been officially approved and included obsolete and incomplete information. Additionally, we found that improvements were needed to ensure that: (1) duties for the administration of HUD’s configuration management tools were properly segregated, (2) the configuration management function was adequately supported, and (3) configuration management procedural documentation clearly specified the roles and responsibilities for personnel supporting the configuration management function.

HUD has made progress in implementing controls to resolve the reported weaknesses. Specifically: (1) configuration management procedural documentation was updated to clearly define the roles and responsibilities for personnel supporting the configuration management function, and department directors were informed of their roles and responsibilities; (2) a verification of Unix and Windows administrator privileges was performed; and (3) weekly new release coordination meetings are now being held, and status reports of weekly releases are prepared.
However, our review indicated that weaknesses remain in the areas of support for the Department-wide configuration management function, procurement system configuration management plan, and procurement system release procedures.

11 Configuration management is the control and documentation of changes made to a system’s hardware, software and documentation throughout the development and operational life of the system.

For fiscal year 2007, we reviewed the configuration management plans for several Federal Housing Administration applications and found that the plans lacked or contained outdated information for the areas of user access maintenance, configuration management user access verification and deactivation, obsolete module control, and emergency release procedure. We also identified additional weaknesses specific to each configuration management plan reviewed. Details of this finding will be included in our report for our fiscal year 2007 Review of Information Systems Controls in Support of the Financial Statements Audit.

Contingency Planning and Preparedness

HUD continues to strive to make progress and has taken corrective actions to implement controls for contingency planning and preparedness. We determined that HUD has taken actions to improve its information technology contingency planning process, including: (1) training, drafting guidance, reviewing system contingency plans, and coordinating with systems owners to ensure that plans reflect current conditions; (2) developing contingency plans for 92 of 101 major applications; (3) completing 90 risk assessments; and (4) completing business impact analyses for all systems.
However, our review of the disaster recovery plan for the contractor-operated data center facility indicates that the listing of mission critical applications has not yet been updated. A contract modification is required to update the listing of mission critical applications. This is expected to be completed by December 31, 2007.

Physical Security

During our fiscal year 2006 review of HUD's information systems controls in support of the financial statements audit, we found that physical security controls for HUD facilities were generally in place at the network operations center and the data center, both maintained by two different contractors. However, we identified three areas of concern requiring management attention: (1) the contractor did not conduct required annual shelter-in-place drills at the data center, (2) documentation for the network operations center was not current, and (3) access controls at both computer facilities needed to be tightened.

In our follow-up review of the previously reported weaknesses, we determined that the contractor began performing the shelter-in-place drill annually at the data center. We also determined that the contractor updated its risk assessment documents, security plan and its physical layout diagram to reflect the current conditions of systems and facilities. However, while access controls improved at one contractor location, at another location we found that 11 persons were granted access to the computer room without clear justification.
After we brought this to the contractor’s attention, we were informed that the unnecessary access was removed.

Additional Actions are Needed to Fully Implement Required Information Security Controls

HUD has not fully implemented the required information security controls needed to ensure that its financial systems, data, and assets are adequately protected. In the course of conducting our reviews this year, we determined that some retired employees retained access to systems and sensitive information due to a lack of compliance with HUD’s information security policies. HUD had not complied with department information security policies or procedures to ensure that these employees’ access to sensitive data was revoked. While we were not able to find evidence that any line items, accounts, or transactions were altered or systems were compromised, Federal statutes, requirements, and HUD security policies were violated. In this instance, we found that HUD was not in compliance with the following information system security control families:

• Access Controls
• Audit and Accountability
• Identification and Authentication
• Personnel Security

Without these controls being fully implemented, HUD financial systems are at risk and the security over them is compromised.
We intend to complete our review and issue a separate report on information security controls in fiscal year 2008.

Significant Deficiency: Weak Personnel Security Practices Continue to Pose Risks of Unauthorized Access to the Department’s Critical Financial Systems

For several years, we have reported that HUD’s personnel security practices over access to critical and sensitive systems have been inadequate. Various deficiencies in HUD’s information technology personnel security program were found and recommendations were proposed to correct the problems noted. However, the risk of unauthorized access to HUD’s financial systems remains a critical issue. We followed up on previously reported information technology personnel security weaknesses and deficiencies and found that deficiencies still exist. Specifically:

• In prior years, OIG recommended that HUD develop an action plan to fully implement the HUD Online User Registration System to ensure that all user data are tracked and require system administrators to register users and their access level into this database. In response, HUD implemented the Centralized HUD Account Management Process (CHAMP) to serve as a data repository and a workflow management component of the service desk to ensure requests are forwarded in the proper order to all organizations that have a part in approving or assigning user account rights and privileges. This was a positive step toward enabling reconciliation between user access records and the background investigation records maintained by HUD personnel security. However, CHAMP is not a database as recommended, but a repository that contains user requests. In addition, it only contains data from help desk service tickets processed since January 2007.
Legacy data processed prior to this time is being gathered from different sources and manually entered into CHAMP. HUD hopes to have all legacy data entered into CHAMP by September 2008.

• HUD has developed interim procedures to reconcile CHAMP information with the database that contains background investigation data for all employees and contractors. This reconciliation process is intended to identify users with potentially unauthorized or inappropriate access levels to HUD’s systems (e.g., users granted above-read access without the appropriate background check). However, the reconciliation is tedious and cannot identify all users because it is a manual process, and because CHAMP does not contain all user data including legacy data. As a result, some unauthorized users may escape detection.

• Reconciliations to identify users with above-read (query) access to HUD mission-critical (sensitive) applications but without appropriate background checks are being routinely conducted. However, the general support systems on which these mission-critical applications reside are not included in the reconciliations because they are not classified as mission-critical. Having access to general support systems typically includes access to system tools, which provide the means to modify data and network configurations. We identified information technology personnel, such as database administrators and network engineers, who have access to these types of system tools, but do not have appropriate background checks.
These persons were not identified as part of the CHAMP reconciliation process because they do not have above-read access to mission-critical applications.

Compliance with Laws and Regulations

HUD Did Not Substantially Comply with the Federal Financial Management Improvement Act

FFMIA requires auditors to report whether the agency’s financial management systems substantially comply with the Federal financial management systems requirements, applicable accounting standards, and support the U.S. Standard General Ledger (SGL) at the transaction level. We found that HUD was not in substantial compliance with FFMIA because HUD’s financial management system did not substantially comply with (1) Federal Financial Management System Requirement and (2) Federal Accounting Standards.

During fiscal year 2007, the Department continued to address its financial management deficiencies and took steps to bring the agency’s financial management systems into compliance with the Federal Financial Management Improvement Act (FFMIA). However, HUD was unable to complete any of the planned fiscal year 2007 independent reviews of its financial management systems to verify compliance with financial system requirements, identify system and procedural weaknesses, and develop the corrective actions to address identified weaknesses. During fiscal year 2007, HUD did complete three independent reviews that were planned and initiated in fiscal year 2006, as well as one unscheduled review.

Federal Financial Management System Requirements

In its Fiscal Year 2007 Performance and Accountability Report, HUD reports that 2 of its 42 financial management systems do not comply with the requirements of the FFMIA and OMB Circular A-127, Financial Management Systems.
Even though 40 individual systems have been certified as compliant with federal financial management systems requirements, collectively and in the aggregate, deficiencies still exist.

FHA’s auditor reports as a material weakness that FHA’s systems for processing Home Equity Conversion Mortgage transactions need improvement. We also report as a significant deficiency that HUD Financial Management Systems Need to Comply with Federal Financial Management Systems Requirements. The material weakness and significant deficiency address how FHA and HUD’s financial management systems remain substantially noncompliant with federal financial management requirements.

We continue to report as significant deficiencies that (1) Controls over HUD’s Computing Environment Can Be Further Strengthened and (2) Weak Personnel Security Practices Continue to Pose Risks of Unauthorized Access to the Department’s Critical Financial Systems.
These significant deficiencies discuss how weaknesses with general controls and certain application controls, and weak security management increase risks associated with safeguarding funds, property, and assets from waste, loss, unauthorized use or misappropriation.

In addition, OIG audit reports have disclosed that security over financial information was not provided in accordance with OMB Circular A-130, Management of Federal Information Resources, Appendix III and the FISMA.

Compliance with federal accounting standards

FHA’s auditor reported a material weakness with respect to the HECM program credit subsidy cash flow model. The model contained improper calculations relating to terminated note recoveries and was not compliant with federal accounting standards regarding OMB discounting requirements for cash flow models for direct loan and loan guarantee programs.

We have included the specific nature of noncompliance issues, responsible program offices and recommended remedial actions in Appendix C of this report.

Other Matters

HUD’s Office of the Chief Financial Officer is responsible for investigating and reporting on violations of the Antideficiency Act. As of the conclusion of this audit, the Office of the Chief Financial Officer was investigating 25 potential Antideficiency Act violations. The Chief Financial Officer made determinations that four cases that occurred during the period 2002 through 2004 are Antideficiency Act violations that warrant reporting to the President, Congress, and GAO. Two additional cases were under consideration for reporting.
As of the date of our
report, no violations have been reported.

OMB Bulletin No. 07-04 requires that we report on discrepancies between management and
independent auditors regarding material weaknesses on internal control over reporting that is not
disclosed in the Agency’s Performance and Accountability Report. HUD and FHA disagreed
with the independent auditor’s assessment that the first two weaknesses in internal controls over
financial reporting described above were material weaknesses. The Department and FHA
reported no material weaknesses when reporting on the Federal Managers’ Financial Integrity
Act in their Fiscal Year 2007 Performance and Accountability Report and the FHA Fiscal Year
2007 Annual Management Report, respectively.


APPENDIXES

Appendix A
Objectives, Scope, and Methodology

Management is responsible for

   •   Preparing the principal financial statements in conformity with generally accepted
       accounting principles;
   •   Establishing, maintaining and evaluating internal controls and systems to provide
       reasonable assurance that the broad objectives of Federal Managers’ Financial Integrity
       Act are met; and
   •   Complying with applicable laws and regulations.

In auditing HUD’s principal financial statements, we were required by Government Auditing
Standards to obtain reasonable assurance about whether HUD’s principal financial statements
are free of material misstatements and presented fairly in accordance with generally accepted
accounting principles.
We believe that our audit provides a reasonable basis for our opinion.

In planning our audit of HUD’s principal financial statements, we considered internal controls
over financial reporting by obtaining an understanding of the design of HUD’s internal controls,
determined whether these internal controls had been placed in operation, assessed control risk,
and performed tests of controls to determine our auditing procedures for the purpose of
expressing our opinion on the principal financial statements and not to provide assurance on the
internal control over financial reporting. Consequently, we do not provide an opinion on internal
controls. We also tested compliance with selected provisions of applicable laws and regulations
that may materially affect the consolidated principal financial statements. Providing an opinion
on compliance with selected provisions of laws and regulations was not an objective and,
accordingly, we do not express such an opinion.

We considered HUD’s internal control over Required Supplementary Stewardship Information
reported in HUD’s Fiscal Year 2007 Performance and Accountability Report by obtaining an
understanding of the design of HUD’s internal controls, determined whether these internal
controls had been placed in operation, assessed control risk, and performed tests of controls as
required by OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements and not
to provide assurance on these internal controls. Accordingly, we do not provide assurance on
such controls.

With respect to internal controls related to performance measures to be reported in the
Management’s Discussion and Analysis and HUD’s Fiscal Year 2007 Performance and
Accountability Report, we obtained an understanding of the design of significant internal
controls relating to the existence and completeness assertions, as required by OMB Bulletin
07-04.
Our procedures were not designed to provide assurance on internal control over reported
performance measures and, accordingly, we do not provide an opinion on such controls.

To fulfill these responsibilities, we

   •   Examined, on a test basis, evidence supporting the amounts and disclosures in the
       consolidated principal financial statements;
   •   Assessed the accounting principles used and the significant estimates made by
       management;
   •   Evaluated the overall presentation of the consolidated principal financial statements;
   •   Obtained an understanding of internal controls over financial reporting, executing
       transactions in accordance with budget authority, compliance with laws and regulations,
       and safeguarding assets;
   •   Tested and evaluated the design and operating effectiveness of relevant internal controls
       over significant cycles, classes of transactions, and account balances;
   •   Tested HUD’s compliance with certain provisions of laws and regulations,
       noncompliance with which could have a direct and material effect on the determination
       of financial statement amounts and certain other laws and regulations specified in OMB
       Bulletin 07-04, including the requirements referred to in the Federal Managers’ Financial
       Integrity Act;
   •   Considered compliance with the process required by the Federal Managers’ Financial
       Integrity Act for evaluating and reporting on internal control and accounting systems; and
   •   Performed other procedures we considered necessary in the circumstances.

We did not evaluate the internal controls relevant to operating objectives as broadly defined by
the Federal Managers’ Financial Integrity Act.
We limited our internal control testing to those
controls that are material in relation to HUD’s financial statements. Because of inherent
limitations in any internal control structure, misstatements may nevertheless occur and not be
detected. We also caution that projection of any evaluation of the structure to future periods is
subject to the risk that procedures may become inadequate because of changes in conditions or
that the effectiveness of the design and operation of policies and procedures may deteriorate.

Our consideration of the internal controls over financial reporting would not necessarily disclose
all matters in the internal controls over financial reporting that might be significant deficiencies.
We noted certain matters in the internal control structure and its operation that we consider
significant deficiencies under OMB Bulletin 07-04. Under standards issued by the American
Institute of Certified Public Accountants, a significant deficiency is a deficiency in internal
control, or a combination of deficiencies, that adversely affects HUD’s ability to initiate,
authorize, record, process, or report financial data reliably in accordance with generally accepted
accounting principles such that there is more than a remote likelihood that a misstatement of the
entity’s financial statements that is more than inconsequential will not be prevented or detected.

A material weakness is a significant deficiency, or combination of significant deficiencies, that
results in a more than remote likelihood that a material misstatement of the financial statements
will not be prevented or detected.

Our work was performed in accordance with generally accepted Government Auditing Standards
and OMB Bulletin 07-04.

This report is intended solely for the use of HUD management, OMB and the Congress.
However, this report is a matter of public record and its distribution is not limited.

Appendix B
Recommendations

To facilitate tracking recommendations in the Audit Resolution and Corrective Action Tracking
System, this appendix lists the newly developed recommendations resulting from our report on
HUD’s fiscal year 2007 financial statements. Also listed are recommendations from prior years’
reports that have not been fully implemented. This appendix does not include recommendations
pertaining to FHA and Ginnie Mae issues because they are tracked under separate financial
statement audit reports of that entity.

Recommendations from the Current Report

With respect to the significant deficiency that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer in coordination with the
appropriate program offices:

       1.a.   Deobligate $342.3 million of excess unexpended funds identified as a result of the
              fiscal year 2007 financial statement audit.

       1.b.   Improve the quarterly contract reconciliation procedure currently being
              implemented by performing periodic reviews of subsidiary ledgers to ensure that
              Section 236 obligations reported are valid and can be more accurately estimated
              and reported.

       1.c.   Implement a periodic review of terminated Rent Supplement and Rental
              Assistance Payments projects to ensure changes in contract status are timely
              identified and excess undisbursed contract authority is recaptured in a timely
              manner.

With respect to the significant deficiency that HUD needs to improve its budgeting and funds
control over section 8 project-based contracts, we recommend that the Assistant Secretary for
Housing in coordination with the Chief Financial Officer and the Chief Information Officer:

       2.a.   Develop a long-term financial management system solution to streamline and
              automate the overall Section 8 project-based budgeting, payment, and contract
              management process.

       2.b.   Consider revising current Section 8 project-based recapture methodology to
              include recapturing funds from expired Section 8 contracts occurring in the
              current fiscal year. We found that HUD could have recaptured up to $580 million
              from these expired contracts, in lieu of recapturing funds from active long-term
              contracts.

       2.c.   Perform a detailed review to ensure that PAS data on Section 8 project-based
              contracts used to compute obligation balances is accurate and reliable.


Unimplemented Recommendations from Prior Years’ Reports

Not included in the recommendations listed above are recommendations from prior years’
reports on the Department’s financial statements that have not been fully implemented based on
the status reported in the Audit Resolution and Corrective Action Tracking System. The
Department should continue to track these under the prior years’ report numbers in accordance
with departmental procedures.
Each of these open recommendations and its status is shown
below. Where appropriate, we have updated the prior recommendations to reflect changes in
emphasis resulting from recent work or management decisions.

OIG Report Number 2004-FO-0003 (Fiscal Year 2003 Financial Statements)

With respect to the reportable condition that controls over project-based subsidy payments need
to be improved, we recommend that the Deputy Assistant Secretary for Multifamily Housing in
coordination with Financial Management Center Director:

       3.a.   Initiate corrective action to address the underlying causes for the erroneous
              payment resulting from billing errors, such as the intermediaries’ failure to
              accurately report or maintain required subsidy determination documentation, and
              bookkeeping and procedural errors. (Final action target date is October 15, 2007.)

       3.b.   Establish controls over the HUD-administered project-based Section 8 payment
              process at FMC to comply with Title VII of the GAO Policy and Procedures
              Manual for Guidance of Federal Agencies. (Final action target date is October
              15, 2007.)

       3.c.   Establish criteria to enforce the accuracy of the data submitted through TRACS.
              (Final action target date is October 15, 2007.)

OIG Report Number 2007-FO-0003 (Fiscal Year 2006 Financial Statements)

With respect to the reportable condition that HUD needs to improve the process for reviewing
obligation balances, we recommend that the Chief Financial Officer in coordination with the
appropriate program offices:

       1.a.   Deobligate all excess unexpended funds identified as a result of the fiscal year
              2006 audit of financial statements.
              (Final action target date is October 31, 2007)


Appendix C

Federal Financial Management Improvement Act Noncompliance,
Responsible Program Offices, and Recommended Remedial Actions

This Appendix provides details required under Federal Financial Management Improvement Act
(FFMIA) reporting requirements. To meet those requirements, we performed tests of
compliance using the implementation guidance for FFMIA issued by OMB and GAO’s Financial
Audit Manual. The results of our tests disclosed that HUD’s systems did not substantially
comply with the foregoing requirements. In addition, we found noncompliance with federal
accounting standards. The details for our basis of reporting substantial noncompliance,
responsible parties, primary causes and the Department’s intended remedial actions are included
in the following sections.

Federal Financial Management Systems Requirements

1. HUD’s annual assurance statement issued pursuant to Section 4 of the Financial Manager’s
Integrity Act, will report two non-conforming systems [12].

The organizations responsible for systems that were found not to comply with the
requirements of OMB Circular A-127 based on the Department’s assessments are as
follows:

      Responsible Office                               Number of Systems     Non-conforming Systems
      Office of Housing                                       19                        0
      Office of Chief Financial Officer                       15                        0
      Office of Administration                                 2                        0
      Office of Chief Procurement Officer                      2                        2
      Office of Community Planning and Development             2                        0
      Office of Public and Indian Housing                      1                        0
      Government National Mortgage Association                 1                        0
      Totals                                                  42                        2

[12] The two nonconforming systems are: A35-HUD Procurement System and P035-Small Purchase System.

The following section outlines the Department’s plan to correct noncompliance with OMB
Circular A-127.

                           Office of the Chief Procurement Officer

                           A35 HUD Procurement Systems (HPS)
                           P035 Small Purchase System (SPS)

  Noncompliance Issue(s)                           Tasks/Steps                              Target Dates   Completion
                                             (including Milestones)                                          Dates
INTERNAL CONTROLS
                            Intermediate Resolution Plan

1. HUD’s Procurement        1A Review transactions of the four contracting officers         COMPLETED      COMPLETED
   Systems Do Not Have         who input records in excess of their contract authority
   Adequate Controls for       and take actions as appropriate.
   Monitoring the               • OCPO researched the transactions in question to           12/23/2006     12/14/2006
   Procurement Process            determine if the obligations were appropriate or
                                  not.
                                • OCPO determined that the transactions were                3/31/2007      12/14/2006
                                  properly executed by contracting officers acting
                                  within their authority. No further action is
                                  necessary.

                            1B   Implement system controls to ensure that contracting
                                 officers are not able to exceed their procurement
                                 authority.
                                  • The OCPO will implement procurement authority           3/31/2007
                                     control procedures.                                    Revised to
                                                                                            12/31/2007
                                  • The OCPO will include validation of contracting         Commencing     1/08/2007
                                    officer authority as part of each Procurement           1/8/2007       On-Going
                                    Management Review.

                            1C   Implement controls to ensure that contracting officers     COMPLETED      COMPLETED
                                 are required to either input or approve all transactions
                                 that record funds through the HUDCAPS interfaces.
                                  • The OCPO will implement procedural controls to
                                     require contracting officers to validate               4/30/2007      4/25/2007
                                     transactions in HPS.

                            1D Modify the systems to make the contracting officer field
                               mandatory.
                                • The OCPO will implement procedures for
                                  electronic records, which are recorded in HPS, are        4/30/2007
                                  reviewed to ensure that a Contracting Officer is          Revised to
                                  identified for each record.                               12/31/2007
                                • The OCPO will implement validation of the
                                  contracting officer identification as part of each        4/30/2007
                                  Procurement Management Review. – See 1B                   Revised to
                                  bullet 2 above. Validation of contracting                 12/31/2007
                                  authority is the same as implementation of task.

                            NOTE: OCPO is in the process of conducting a cost
                            benefit analysis, whose outcome will determine the best
                            course of action in implementing system changes or
                            replacing systems.

2. HUD Procurement          2A Ensure that system administration and security            COMPLETED      COMPLETED
   Systems’ Separation of      administration functions are separate.
   Duties Controls Were          • The OCPO will formally appoint separate               4/16/2007      05/01/2007
   Bypassed                        individuals to act as security administrator and
                                   system administrator for each OCPO system and
                                   that the individuals will not be performing
                                   conflicting duties.

                            2B Ensure that staff is not assigned conflicting duties,     COMPLETED      COMPLETED
                               that separate functions are performed by separate
                               individuals, and that the concept of least privilege is
                               applied.
                                 • OCPO will determine if multiple system
                                    profiles are actually a valid requirement on an
                                    individual basis in HPS. The goal is to eliminate
                                    unnecessary and redundant profiles in HPS and
                                    that the individuals will not be performing
                                    conflicting duties.
                                        o The OCPO will identify users with              2/15/2007      12/21/2006
                                             multiple HPS profiles
                                        o The OCPO will deactivate                       07/31/2007     07/19/2007
                                             unnecessary/redundant profiles

                            NOTE: While we can separate the duties procedurally, the
                            separation cannot be enforced in HPS or SPS without
                            reprogramming.

                            2C Implement formal policies and procedures to               COMPLETED      COMPLETED
                               recertify the access granted to users at least an [sic]
                               annually.
                                 • The OCPO will develop and implement formal
                                   procedures for granting access by using the
                                   concept of least privilege to OCPO systems, as
                                   well as annual user access reviews by:
                                        o Revise system access request forms             1/31/2007      12/31/2006
                                        o Revise process in which user requests          2/28/2007      1/31/2007
                                            system access
                                        o Revise procedure in which system               3/31/2007      1/31/2007
                                            access is granted
                                        o Develop formal procedure to enforce            06/30/2007     07/18/2007
                                            annual user access review

                            2D Create and implement routing functionality within
                               the Small Purchase System to allow users to be
                               granted access to more than one office or region.
                                   • OCPO recommends implementing the
                                       following tasks to alleviate the routing issue.
                                       OCPO will determine if multiple SPS system
                                       profiles are actually a valid requirement on
                                       an individual basis. The goal is to eliminate
                                       all unnecessary and redundant profiles in
                                       SPS.
                                       o The OCPO will identify users with                2/15/2007
                                            multiple SPS profiles
                                       o The OCPO will restructure the issuing            8/31/2007      12/21/2006
                                            office hierarchy to alleviate the necessity   Revised to
                                            of multiple profiles for a given user.        11/30/2007

                                  NOTE: OCPO is in the process of conducting a cost
                                  benefit analysis, whose outcome will determine the best
                                  course of action in implementing system changes or
                                  replacing systems.

3. HUD’s Procurement              3A Perform a cost benefit analysis to determine whether it
   Systems Do Not Contain            is more advantageous to modify or replace the
   Sufficient Financial Data to      procurement systems to ensure compliance with Joint
   Allow It to Effectively           Federal Management Improvement Program
   Manage and Monitor                Requirements.
   Procurement Transactions           • The OCPO will perform a cost benefit analysis to          05/31/2007
                                        replace the OCPO systems.                                 Revised to
                                                                                                  01/31/2008
                                  3B   Implement functionality to ensure that there is
                                       sufficient information within HUD’s procurement
                                       systems to support the primary acquisition functions of
                                       fund certification, obligation, deobligation, payment,
                                       and closeout.
                                           • Based on the availability of funds, OCPO will
                                                replace its systems with COTS software to
                                                ensure found issues with internal and security
                                                controls are addressed.
                                           • MILESTONES – NOT LATER THAN
                                                • Develop Independent Government                  5/4/2007       05/03/2007
                                                     Estimate
                                                • Conduct Market Research                         04/6/2007      04/06/2007
                                                • Source Selection                                TBD
                                                                                                  10/01/2008
                                                • Roll-out pilot of production system

                                  NOTE: OCPO is in the process of conducting a cost
                                  benefit analysis, whose outcome will determine the best
                                  course of action in implementing system changes or
                                  replacing systems.
SECURITY CONTROLS
4. The Office of the Chief        4A Obtain the training and/or resources necessary to
   Procurement Officer Did           develop or perform compliant (1) information system
   Not Design or Implement           categorization analyses; (2) risk assessments; (3)
   Required Information              security plans; (4) contingency plans and tests; (5)
   Security Controls                 monitoring processes, which include applicable Federal
                                     Information Processing Standards Publication 200
                                     managerial, operational, and technical information
                                     security controls; and (6) evaluations of the managerial,
                                     operational, and technical security controls.

                                        •    OCPO will ensure that training or other resources
                                             are obtained to develop or perform required
                                   managerial, operational, and technical security
                                   controls.                                            12/31/2008
                                   ° Update Risk Assessments                            12/31/2008
                                   ° Update Security Plans                              12/31/2008
                                   ° Update Contingency Plans and tests;
                                                                                        TBD based
                                   ° Monitoring processes, which include                on
                                       applicable Federal Information Processing        coordination
                                       Standards (FIPS) Publication 200                 with OCIO
                                       managerial, operational, and technical
                                       information security controls; and               TBD based
                                   ° Evaluations of the managerial, operational, and    on
                                       technical security controls.                     coordination
                                                                                        with OCIO
                         4B   Complete the corrective actions for the known open
                              information security vulnerabilities or develop
                              mitigation strategies if new system development is
                              underway.
                               • OCPO will ensure it develops mitigation
                                    strategies for the known open information
                                    security vulnerabilities.
                                  ° Review vulnerabilities
                                  ° Develop mitigation strategy                         4/30/2008
                                                                                        7/31/2008
                         4C   Designate a manager to assume responsibility for          COMPLETED      COMPLETED
                              ensuring the Office of the Chief Procurement Officer’s
                              compliance with federal certification and accreditation
                              process requirements and to provide “continuous
                              monitoring” of the office’s information systems
                              security.
                               • OCPO will designate a manager responsible for
                                    ensuring compliance with information systems        1/15/2007      03/13/2007
                                    security and federal certification and
                                    accreditation process.
                               • OCPO will work with OCIO to define roles and
                                    responsibilities and to ensure that appropriate     2/1/2007       2/1/2007
                                    resources are provided to perform required
                                    monitoring and certification and accreditation.

                         4D Reevaluate the HUD Procurement System and Small
                            Purchase System application systems’ security
                            categorization in light of OMB guidance on personally
                            identifiable information.
                             • OCPO will reevaluate the HUD Procurement
                                  System and Small Purchase System application          8/31/2007
                                  systems’ security categorization in light of OMB      Revised to
                                  guidance on personally identifiable information.      11/30/2007

                         4E   Perform a Business Impact Analysis (BIA) for the
                              procurement systems. Based on the results of the
                              impact analysis, determine what actions HUD can take
                              to limit the amount of time needed to recover from the
                              various levels of contingencies that can occur and
                              include the determined actions in the contingency plans
                              for the systems.
                               • OCPO will develop a business impact analysis
                                    for the procurement systems and revise the
                                    contingency plan based on the BIA.
                                    ° Develop business impact analyses
                                    ° Incorporate BIA into contingency plans
                                                                                        4/30/2007      05/04/2007
                                                                                        9/30/2007
                         Note: OCPO is in the process of conducting a cost benefit      Revised to
                         analysis, whose outcome will determine the best course of      1/31/2008
                         action in implementing system changes or replacing the
                         systems.


2. FHA’s auditor disclosed a material weakness and our audit disclosed significant
deficiencies regarding the security over financial information. Similar conditions have also
been noted in other OIG audit reports. We are including security issues as a basis for
noncompliance with FFMIA because of the collective effect of the issue and
noncompliance with Circular A-130, Appendix 3 and the Federal Information Security
Management Act (FISMA).
The responsible office, nature of the problem, and primary
causes are summarized below:

Responsible Office        Nature of the Problem

Office of Housing and CIO
    FHA’s systems for processing Home Equity Conversion Mortgage (HECM)
    transactions need improvement.

    FHA maintains a number of different system platforms for processing
    HECM endorsements, premiums, claims and notes. These systems are not
    automatically integrated and require significant compensating manual
    controls to ensure the accuracy and reliability of financial information being
    reported in the general ledger. They are not compliant with federal loan
    financial management system requirements and are not compliant with
    federal information technology security requirements, including regulations
    for the safeguarding of personally identifiable information.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Housing and CIO
    FHA system security controls need improvement.

    FHA has not yet implemented a federal information security risk
    management framework in accordance with federal standards. FHA’s
    information system security officer did not have authority and processes in
    place to ensure FHA system security met Federal and Departmental
    requirements. FHA program offices and system owners also did not fully
    understand their system security responsibilities.
    FHA has also not yet resolved a number of system vulnerabilities that result in
    weakened controls over financial system data.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures, and also because of ineffective organizational authority, insufficient staff resources, and
inadequate training.

Office of Chief Information Officer
    Weaknesses exist in HUD’s entity-wide security program. Specifically:

    In fiscal year 2007, HUD made significant changes to two general support
    systems; however, HUD did not perform a full test of the implemented
    security controls. Further, HUD did not perform a security impact
    assessment on these changes or update related security documents to
    reflect these changes.

    HUD placed systems into production before they were fully certified and
    accredited, and before a comprehensive assessment of the management,
    operational and technical controls in the systems was completed.

    HUD did not ensure that all non-major applications were covered by the
    certification and accreditation of the underlying general support system,
    and did not document the additional required security controls for these
    non-major applications.

    HUD’s major applications still have many delayed weaknesses with no
    corrective action plan and/or new projected completion dates.
    There are weaknesses that remain open since fiscal year 2003.

    HUD’s Office of Information Technology Security identified 195 HUD
    systems that require an e-authentication risk assessment. However, HUD
    program offices and system owners have not completed e-authentication
    risk assessments for 149 systems, of which 33 are financial management
    systems.

    HUD has not fully implemented all technical controls required by the
    OMB to protect personally identifiable information.

    HUD has not disconnected obsolete systems from HUD’s network and
    removed these systems from HUD’s inventory of automated systems in a
    timely manner. We also noted that system owners did not include a
    system in HUD’s inventory of automated systems even though the system
    contains personally identifiable information.

    HUD did not ensure that systems containing personally identifiable
    information were categorized as moderate or high-risk impact level and
    did not report every incident involving personally identifiable information
    to the United States Computer Emergency Readiness Team (US-CERT)
    within one hour of discovering the incident.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief Information Officer
    A number of weaknesses in HUD’s network security were found during a
    vulnerability assessment performed by the OIG.
    Specifically:

    Adequate controls were not in place to restrict access to sensitive
    network and security information on several systems,

    Not all vulnerabilities on targeted HUD workstations were patched,

    User accounts inactive for more than 90 days were not disabled or
    removed, and

    Configurations were not adequately set to limit access to HUD’s internal
    network.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief Information Officer
    We found that HUD does not have a technical baseline that specifically
    addresses security controls for its Unisys 2200 operating systems, and the
    security plan is not current. Specifically: (1) HUD follows a security
    technical implementation guide that has not been tailored to the HUD
    environment; (2) the vendor security checklist has not been approved, is
    incomplete, and does not provide detailed guidance to implement HUD’s
    policy and procedures in regard to the Unisys operating systems; and (3)
    the system security plan is not current.

    HUD’s security log management process needs improvement.
    Without adequate security log management process controls in place, HUD cannot
    maintain an inclusive history of events and it will not be able to effectively
    perform audits and forensic and operational trend analyses, or identify
    long-term problems, all of which could help establish or improve security
    controls.

    User access controls over the Unisys mainframe general support systems
    do not adequately protect the systems from unauthorized modification,
    disclosure, loss, or loss of data.

    The system file that supports the System for Tape Administration and
    Reporting (STAR-1100) is not adequately protected from unauthorized
    modifications. The STAR-1100 is crucial for systems that are not considered
    mission critical because they rely on the backup tapes to restore their data.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief Procurement Officer
    Control weaknesses still exist for HUD Procurement System (HPS) and
    HUD Small Purchase System (SPS), specifically:

    Additional work is needed to ensure that all parties to an acquisition
    transaction are identified, and that all information technology security
    responsibilities are fulfilled.

These conditions occurred because HUD’s management does not consistently enforce FISMA and
HUD’s information technology security policies and procedures.

Office of Chief Information Officer and Office of the Chief Financial Officer
    We found that the controls over the LOCCS user recertification process
    were not effective to verify the access of all users. Systemic deficiencies
    led to the omission of more than 10,000 users from the LOCCS
    recertification process. An additional 199 users had last recertification
    dates within the application prior to March 31, 2006, indicating that they
    also were not included in the fiscal year 2007 recertification process.

    The Office of the Chief Financial Officer granted two
    contractors/developers above READ access to the HUDCAPS production
    data stored within the mainframe environment without documenting either
    their acceptance of the risks associated with or the justification for this
    access level. The documentation to support this access was not maintained
    by the system owner, and acceptance of the risks associated with this
    access level was not documented in the system security plan.
    Additionally, neither of the two developers received the required level of
    background investigation. One developer received only a minimum
    background investigation. The other developer was not investigated at all.

    The Office of the Chief Financial Officer identified and reported that an
    unauthorized individual had access to sensitive data that was not needed to
    perform assigned duties. In June 2007, it was determined that an
    unauthorized individual was accessing production data from the Financial
    DataMart using an application’s login ID and password.
    In addition, the password assigned to the application login ID did not conform to HUD’s
    password policy.

    All users with access to the HUD Web can access and generate reports
    containing proprietary financial data maintained within the Financial
    DataMart. The Financial DataMart contains proprietary financial data related
    to HUD and its business partners. The Financial DataMart also contains
    personally identifiable information such as names, addresses, social security
    numbers, and bank account numbers. Although the Office of the Chief
    Financial Officer identified the users that required access to the data, they did
    not limit access to only those individuals. In addition, the Office of the Chief
    Financial Officer did not adequately assess the risk associated with providing
    unlimited access to proprietary financial data.

These conditions occurred because HUD’s management does not consistently enforce policies and
procedures.

Office of Chief Information Officer
    HUD has not implemented sufficient controls over the IBM mainframe z/OS
    operating system to ensure that the most powerful administrative authority is
    restricted to only those persons who require it to perform their duties, and
    that the administrator account is properly managed.

These conditions occurred because management does not consistently enforce policies and procedures.

Office of Housing
    Our review of software configuration management indicated that
    weaknesses remain in the areas of support for the Department-wide
    configuration management function, procurement system configuration
    management plan, and procurement system release procedures.

    For fiscal year 2007, we reviewed the configuration management plans for
    several FHA applications and found that the plans lacked or contained
    outdated information for the areas of user access maintenance, configuration
    management user access verification and deactivation, obsolete module
    control, and emergency release procedure. We also identified additional
    weaknesses specific to each configuration management plan reviewed.

These conditions occurred because management does not consistently enforce policies and procedures.

Office of Chief Information Officer
    Our review of the disaster recovery plan for the contractor-operated data
    center facility indicates that the listing of mission critical applications has not
    yet been updated.

This condition exists because a contract modification is required to update the listing of mission critical
applications.
This is expected to be completed by December 31, 2007.

Office of Chief Information Officer
    While access controls improved at one contractor location, at another
    location we found that 11 persons were granted access to the computer room
    without clear justification.

This condition occurred because management does not consistently enforce policies and procedures.

Office of Chief Information Officer
    Personnel security weaknesses still exist, specifically:

    In prior years, OIG recommended that HUD develop an action plan to
    fully implement the HUD Online User Registration System to ensure that
    all user data are tracked and require system administrators to register users
    and their access level into this database. In response, HUD implemented
    the Centralized HUD Account Management Process (CHAMP) to serve as
    a data repository and a workflow management component of the service
    desk to ensure requests are forwarded in the proper order to all
    organizations that have a part in approving or assigning user account rights
    and privileges. This was a positive step toward enabling reconciliation
    between user access records and the background investigation records
    maintained by HUD personnel security. However, CHAMP is not a
    database as recommended, but a repository that contains user requests. In
    addition, it only contains data from help desk service tickets processed
    since January 2007. Legacy data processed prior to this time is being
    gathered from different sources and manually entered into CHAMP.
    HUD hopes to have all legacy data entered into CHAMP by September 2008.

    HUD has developed interim procedures to reconcile CHAMP information
    with the database that contains background investigation data for all
    employees and contractors. This reconciliation process is intended to identify
    users with potentially unauthorized or inappropriate access levels to HUD’s
    systems (e.g. users granted above-read access without the appropriate
    background check). However, the reconciliation is tedious and cannot
    identify all users because it is a manual process, and because CHAMP does
    not contain all user data including legacy data. As a result, some
    unauthorized users may escape detection.

Office of Chief Information Officer
    Reconciliations to identify users with above-read (query) access to HUD
    mission-critical (sensitive) applications but without appropriate background
    checks are being routinely conducted. However, the general support systems
    on which these mission-critical applications reside are not included in the
    reconciliations because they are not classified as mission-critical. Having
    access to general support systems typically includes access to system tools,
    which provide the means to modify data and network configurations.
    We identified information technology personnel, such as database administrators
    and network engineers, who have access to these types of system tools, but
    do not have appropriate background checks. These persons were not
    identified as part of the CHAMP reconciliation process because they do not
    have above-read access to mission-critical applications.

These conditions occurred because CHAMP currently does not include all legacy data processed prior to
this time. The legacy data is being gathered from different sources and manually entered into CHAMP.
HUD hopes to have all legacy data entered into CHAMP by September 2008. However, user access
levels for general support systems are not included in the CHAMP reconciliation process because
general support systems are not classified as mission-critical.

Federal Accounting Standards

A material weakness was reported by the FHA’s auditor with respect to the HECM program
credit subsidy cash flow model. The model contained improper calculations relating to
terminated note recoveries and was not compliant with federal accounting standards
regarding OMB discounting requirements for cash flow models for direct loan and loan
guarantee programs. FHA adjusted the financial statements to reflect the material
adjustments to the related Liability for Guaranteed Loans caused by the error.

Appendix D

SCHEDULE OF QUESTIONED COSTS
AND FUNDS PUT TO BETTER USE

Recommendation    Ineligible 1/    Unsupported 2/    Unreasonable or      Funds Put to
Number                                               Unnecessary 3/       Better Use 4/
1.a.                                                                      $342.3M
2.b.                                                                      $580.0M

1/   Ineligible costs are costs charged to a HUD-financed or HUD-insured program or activity
     that the auditor believes are not allowable by law, contract or federal, state or local
     policies or regulations.

2/   Unsupported costs are those costs charged to a HUD-financed or HUD-insured program
     or activity where we cannot determine eligibility at the time of audit. Unsupported costs
     require a future decision by HUD program officials. This decision, in addition to
     obtaining supporting documentation, might involve a legal interpretation or clarification
     of departmental policies and procedures.

3/   Unnecessary/Unreasonable costs are those costs not generally recognized as ordinary,
     prudent, relevant, and/or necessary within established practices. Unreasonable costs
     exceed the costs that would be incurred by a prudent person in conducting a competitive
     business.

4/   Recommendations that funds be put to better use are estimates of amounts that could be
     used more efficiently if an Office of Inspector General (OIG) recommendation is
     implemented. This includes reductions in outlays, deobligation of funds, withdrawal of
     interest subsidy costs not incurred by implementing recommended improvements,
     avoidance of unnecessary expenditures noted in preaward reviews, and any other savings
     which are specifically identified.

Appendix E

Agency Comments

Appendix F

OIG EVALUATION OF AGENCY COMMENTS

Due to time constraints, we did not formally respond to each of the Department’s comments on
our draft report.
However, we did consider their response along with informal comments in
finalizing our report.
'